[cap-talk] Boebert's quote, Boebert attack on DVH, conspiring communicators

Ka-Ping Yee cap-talk at zesty.ca
Thu Jul 20 18:43:18 EDT 2006


On Thu, 20 Jul 2006, Eric Jacobs wrote:
> The key issue is not whether the capabilities are data but whether the
> representation of those capabilities occurs in a local or global
> namespace. If Alice's representation of a cap is specific to her
> protection domain, and she wants to communicate it to Bob, then she must
> necessarily rely on some supervisory entity that knows how to translate
> it into Bob's local namespace. [...]
>
> If the representation of capabilities is global, however, it becomes
> infeasible for any entity to supervise the exchange of capabilities
> because the conspirators in this case can simply pass off the
> caps as opaque data. This is where * and ss become unenforceable.

I think the key question is how capabilities are honoured.  In a single
machine, the operating system can maintain a distinction between data
and capabilities and refuse to honour data as though it were a
capability.  So, for example, a process can use a c-list index to refer
to a capability, and it doesn't matter that the c-list index is guessable.

Even if the representation of capabilities is global, the receiver of a
message that carries the representation of a capability still has the power
to decide whether to interpret that representation as the capability.

So it comes down to whether the system considers mere possession of the
bits of the capability to be sufficient to wield the capability.


-- ?!ng
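As an added illustration (not part of the original post or of any system discussed on the list), here is a toy model in Python of the two representations the thread contrasts. `Kernel` keeps a c-list per protection domain and honours only indices into the caller's own c-list, so Alice's guessable index is useless as data in Bob's domain and authority can only move through the supervised `transfer`. `GlobalCaps` models the global representation: an unguessable token that is honoured by whoever presents it, so the same bits carry authority wherever they end up. All names, the resource string and the token format are constructed for the example.

```python
"""Toy model: per-domain c-lists versus globally meaningful capability bits."""
import secrets


class Kernel:
    """Constructed minimal 'operating system' with a c-list per domain.

    A domain names a capability by a small integer index into its own c-list;
    the index has no meaning in any other domain, so guessing it buys nothing.
    """

    def __init__(self):
        self._clists = {}  # domain name -> list of objects the domain may use

    def create_domain(self, name):
        self._clists[name] = []

    def grant(self, domain, obj):
        """Append obj to the domain's c-list and return its local index."""
        self._clists[domain].append(obj)
        return len(self._clists[domain]) - 1

    def invoke(self, domain, index):
        """Honour a capability only if it is a valid index in the caller's own c-list."""
        clist = self._clists[domain]
        if not isinstance(index, int) or not 0 <= index < len(clist):
            raise PermissionError(f"{domain}: {index!r} is not a capability here")
        return clist[index]

    def transfer(self, sender, index, receiver):
        """Supervised copy: translate the sender's index into the receiver's namespace.

        This is the only way authority crosses domains, so the kernel is in a
        position to mediate (or refuse) every such exchange.
        """
        obj = self.invoke(sender, index)
        return self.grant(receiver, obj)


class GlobalCaps:
    """Constructed model of the global representation.

    A capability is an unguessable token honoured by whoever presents it.
    Possession of the bits is authority, so the token can ride inside any
    ordinary data channel and no supervisor sees the exchange.
    """

    def __init__(self):
        self._table = {}  # token -> object

    def mint(self, obj):
        token = secrets.token_hex(16)  # constructed token format
        self._table[token] = obj
        return token

    def invoke(self, token):
        if token not in self._table:
            raise PermissionError("not a capability")
        return self._table[token]


def demo():
    """Run both models and report what each one honours."""
    secret_file = "contents of secret file"  # constructed resource
    results = {}

    # 1. c-list model: Alice's index is meaningless as data in Bob's domain
    k = Kernel()
    k.create_domain("alice")
    k.create_domain("bob")
    idx = k.grant("alice", secret_file)          # alice's index is 0
    results["alice_index_guessable"] = idx == 0  # trivially guessable, and harmless
    try:
        k.invoke("bob", idx)                     # Bob presents the same bits as a cap
        results["bob_via_data"] = "honoured"
    except PermissionError:
        results["bob_via_data"] = "refused"      # the kernel declines to honour data
    bob_idx = k.transfer("alice", idx, "bob")    # supervised transfer is the only route
    results["bob_via_transfer"] = k.invoke("bob", bob_idx) == secret_file

    # 2. global model: the same bits work wherever they end up
    g = GlobalCaps()
    token = g.mint(secret_file)
    leaked = token  # e.g. handed to Bob as "opaque data" in a message body
    results["global_leaked_honoured"] = g.invoke(leaked) == secret_file
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes concrete is the one in the post: in the c-list design the operating system decides what counts as a capability at every invocation, so data never becomes authority by itself; in the global design the system has already decided that the bits are the authority, and so any channel that can carry bits can carry capabilities.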